Developers

If you're a developer, it's important to know how to keep your organization's cyber environment protected from malicious intruders. We have many resources to help you do just that. Ask yourself the following key questions and read on.

Read our FAQ to learn more about the CERT Division; watch videos and see other artifacts that summarize our latest research. If you have questions, please feel free to contact us.

Secure Lifecycle Solutions
We combine Agile software development and human-centered design into our modern, adaptive, and iterative secure development and operational process.

Complexity Modeling and Analysis
The Software Assurance Modeling Framework provides a way to model aspects of the assurance ecosystem, such as security, and examine the gaps, barriers, and incentives that affect how you form, adopt, and use assurance solutions.

Software Security Assurance Measurement and Analysis
The goal of this research is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the lifecycle and supply chain.

Supply Chain Assurance
This research can help acquirers by describing an approach to assure the security of supply chains.

Survivability Analysis Framework
The SAF is a structured view of technology, people, and activities that helps organizations characterize the complexity of multi-system and multi-organizational business processes.

SQUARE
Security Quality Requirements Engineering (SQUARE) is a nine-step process that helps organizations build security, including privacy, into the early stages of the production lifecycle.

Are There Vulnerabilities in Your Software?

Our researchers help engineers detect, eliminate, and avoid creating vulnerabilities in software in multiple ways, including identifying insecure coding practices and developing secure alternatives that software developers can use to take practical steps to reduce or eliminate vulnerabilities before deployment.

Secure Coding Research
Our researchers investigate how to avoid security problems and incorporate good coding practices, looking at different coding topics, including thread usage, buffer overflow, the use of pointers, integer overflow, and more.

Blogging Researchers
Our researchers regularly contribute to the CERT/CC, SEI, and DevOps blogs to discuss security issues related to software development, as well as other topics.

Are Your Networks As Secure as They Need to Be?

We develop cutting-edge network analysis techniques and tools for operational use in high-impact environments so that organizations are better able to defend their networks from potential attacks.

FloCon Conferences
We sponsor FloCon conferences where operational network analysts, tool developers, researchers, and other parties interested in the analysis of large volumes of traffic showcase the next generation of flow-based analysis techniques. FloCon 2016 takes place in Daytona Beach, Florida, in January 2016.

Are You Aware of Insider Threats?

Our work in insider threat enables effective insider threat programs by performing research, modeling, analysis, and outreach to define socio-technical best practices so that organizations are better able to deter, detect, and respond to evolving insider threats. Learn more about insider threats on our related work area pages and through the Cybersecurity Watch Survey. We can evaluate your organization and conduct a confidential insider threat vulnerability assessment.

How Can You Contribute to Your Organization's Resilience?

Our work in resilience creates tools, techniques, and methods that help organizations manage operational risk and improve operational resilience.

Resilience Products and Services
You can contribute to your organization's resilience by using Resilience products and services. Explore how OCTAVE, CERT-RMM, and other solutions can help your organization.

Secure Coding in C and C++
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation.

Applied Cybersecurity, Incident Response, and Forensics
This five-day, hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.

Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. The course focuses on understanding and applying the concept of survivability through the effective management of risk, threats, policy, system configuration, availability, and personnel.

Develop Secure Code

SCALe
The SCALe conformance process consists of commercial, open source, and experimental analysis that is used to analyze various code bases to perform conformance testing against CERT secure coding standards.

Secure Coding Standards
These rules and recommendations help you to develop (and evaluate) secure, safe, and reliable software.

Secure Coding in C and C++
This course provides practical advice on secure practices in C and C++ programming, provides a detailed explanation of common programming errors in C and C++, and describes how these errors can lead to code that is vulnerable to exploitation.

Security Assurance Methods in Support of Cyber Security
This workshop focuses on four critical software assurance areas: security requirements, software supply chain assurance, mission thread analysis, and measurement. It exposes you to concepts and resources available to use for addressing software security assurance across the acquisition and development lifecycles.

Information Security for Technical Staff
This course teaches you practical techniques for protecting the security of your organization's information assets and resources, beginning with concepts and proceeding on to technical implementations.

Use Our Tools

Discover and Mitigate Existing Vulnerabilities

Our researchers have created vulnerability analysis and secure coding tools and techniques to help engineers detect, eliminate, and avoid creating vulnerabilities in software.

Monitor Your Networks

Our researchers have developed cutting-edge network analysis techniques and tools for operational use in high-impact environments so that organizations are better able to defend their networks from potential attacks.

Improve Your Forensics Investigations

Our researchers have created technologies, capabilities, and practices organizations can use to develop incident response capabilities and facilitate incident investigations. Visit our tools repository and contact us if you have any questions.

Rosecheckers
The Rosecheckers tool performs static analysis on C/C++ source files. It is designed to enforce the rules in the CERT C Coding Standard. Rosecheckers finds some C coding errors that other static analysis tools do not.

Compiler-Enforced Buffer Overflow Elimination
Compiler-Enforced Buffer Overflow Elimination is a tool that prevents buffer overflows in multithreaded code and has additional features not found in other memory safety mechanisms.

Basic Fuzzing Framework (BFF)
Basic Fuzzing Framework (BFF) is a mutational file fuzz testing tool that consists of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. A version of the BFF that runs natively on Mac OS X is also available.

Failure Observation Engine (FOE)
Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.

Read About the Latest Vulnerabilities and Mitigations

CERT/CC Blog
Our team members regularly contribute to the CERT/CC blog to discuss vulnerability discovery, analysis, and disclosure. The team also presents techniques for managing and mitigating vulnerabilities. Team members discuss current research in these areas and in the field of secure coding.

SEI Blog
Our team members also contribute to the SEI blog to discuss a variety of topics that relate to security, software development, and more.

Report a Vulnerability

We accept reports of security vulnerabilities and serve as a coordinating body that works with affected vendors to resolve vulnerabilities. Report a vulnerability or contact us if you have questions about vulnerabilities.